Criminals posing as legitimate companies were able to gain access to the names, addresses, Social Security numbers and credit reports of hundreds of thousands of consumers in the databases of ChoicePoint (Alpharetta, Ga.), an aggregator of consumer data. According to the company, at least 145,000 consumers could be affected.
The damage to the financial services industry could be profound, warns Mark Rasch, senior vice president and chief security counsel for Solutionary, Inc. (Omaha, Neb.), a managed security services company. "This undermines every single assumption that we make about identity and authentication," he says. "If you can get to a data aggregator, you can get to any bit of information [banks] can use to authenticate."
To the extent that identity thieves can compile a complete dossier on any given individual, that information can be used to impersonate someone for a wide range of criminal purposes. "If I get to an aggregator, I get personal information which I can use to apply for accounts — a passport, a birth certificate, and a driver's license," observes Rasch. "If I'm a terrorist, I'd much rather travel under someone else's name."
In a release posted on ChoicePoint's Web site, the company stated: "This incident was not a breach of ChoicePoint's network or a 'hacking' incident and did not involve any of ChoicePoint's customer information."
The implication is that the thieves did not steal information about the specific banks, retailers, insurance companies, telecom companies and government agencies that do business with ChoicePoint.
Instead, the breach involved ChoicePoint's "inventory," which consists of consumer information compiled from various public-record sources, including credit reports, Social Security numbers, court records, criminal histories, license records and revocations, professional associations, purchase and sale information, liens, divorce proceedings and the like.
As required by state law under the California Security Breach Information Act (SB 1386), ChoicePoint has notified 35,000 California residents of the security breach. ChoicePoint has also said in its statement that it will notify approximately 110,000 consumers outside of California, where disclosures of security breaches are not currently required.
The criminals obtained the information by creating fictitious companies and opening commercial relationships with ChoicePoint. "Where [ChoicePoint] apparently broke down is in the creation of accounts, in allowing people to create these accounts without any real background investigation, or [the criminals] were able to fool whatever background investigation they were able to do," notes Solutionary's Rasch.
Also, Rasch points out that ChoicePoint might have instituted better controls for detecting suspicious behavior by its commercial customers. "If I have a company with 200 employees, maybe I'll be doing six or seven background checks a month," says Rasch. "[The criminals] were literally going through tens of thousands of background checks. That should have been a trigger that they weren't just doing a background check - they were generating a database of personal information."
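The volume check Rasch describes is straightforward to express as detection logic. The script below is an added illustration, not ChoicePoint's or Solutionary's code: it assumes the aggregator keeps a per-record access log carrying the customer account, the head count the customer declared at onboarding, and the subject looked up, and it assumes a baseline of roughly 5% of head count screened per month with a tolerance of ten times that. An account that pulls far more records than its declared size explains, or that works through more than a hundred distinct subjects in a single day, is flagged. The log lines, account names and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample access log (not real data). One line per record
    pulled: '<ISO timestamp> <account_id> <declared_employees> <subject_id>'."""
    lines = []
    start = datetime(2005, 1, 3)
    # acct-101: a 200-person employer running six pre-hire checks in a month.
    for i in range(6):
        ts = start + timedelta(days=4 * i, hours=9)
        lines.append(f"{ts.isoformat()} acct-101 200 subj-{1000 + i}")
    # acct-777: also claims 200 employees but pulls 3,000 distinct subjects
    # in the same month, 150 a day, the pattern of someone building a database.
    for i in range(3000):
        ts = start + timedelta(days=i // 150, minutes=i % 150)
        lines.append(f"{ts.isoformat()} acct-777 200 subj-{50000 + i}")
    return "\n".join(lines)


def parse_log(text):
    """Parse the assumed whitespace-separated log format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, employees, subject = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "employees": int(employees),
            "subject": subject,
        })
    return records


def detect_excess_volume(records, checks_per_employee_month=0.05,
                         tolerance=10, floor=25, daily_subject_limit=100):
    """Return {account: [reason, ...]} for accounts whose pull volume is out
    of proportion to their declared size, or that enumerate subjects by the
    hundred per day. Baseline (assumed): a legitimate employer screens about
    5% of head count per month; we allow 10x that, with a floor so small
    accounts are not flagged over a handful of extra checks."""
    monthly = defaultdict(int)          # (account, YYYY-MM) -> pulls
    daily_subjects = defaultdict(set)   # (account, YYYY-MM-DD) -> subjects
    employees = {}
    for r in records:
        month = r["ts"].strftime("%Y-%m")
        day = r["ts"].strftime("%Y-%m-%d")
        monthly[(r["account"], month)] += 1
        daily_subjects[(r["account"], day)].add(r["subject"])
        employees[r["account"]] = r["employees"]

    alerts = defaultdict(list)
    for (account, month), count in monthly.items():
        expected = employees[account] * checks_per_employee_month
        limit = max(floor, expected * tolerance)
        if count > limit:
            alerts[account].append(
                f"{month}: {count} pulls vs expected ~{expected:.0f} "
                f"for {employees[account]} declared employees (limit {limit:.0f})")
    for (account, day), subjects in daily_subjects.items():
        if len(subjects) > daily_subject_limit:
            alerts[account].append(
                f"{day}: {len(subjects)} distinct subjects in one day "
                f"(limit {daily_subject_limit})")
    for account in alerts:
        alerts[account].sort()
    return dict(alerts)


if __name__ == "__main__":
    found = detect_excess_volume(parse_log(build_sample_log()))
    for account, reasons in found.items():
        print(account)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed log, only acct-777 is reported: once for the month (3,000 pulls against an expected ten or so) and once for each of the twenty days on which it pulled 150 distinct subjects. The declared head count is just the onboarding fact this example happens to use; any attribute the aggregator verified when opening the account (industry, stated purpose, contract size) can anchor the same proportionality check, and the point is that the baseline comes from what the customer claimed to be, so a fictitious company has to lie consistently across onboarding and usage to stay under it.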
The gravity of this incident should lead to a national debate on the limits and allowable uses of personal information, observes Rasch. "We need better rules on what data aggregators can do," he says. "If they're going to have a business model to sell my data, they need to have the legal responsibility to protect it, and they need to have the responsibility, if there has been a breach, to fix the problem."
"There are benefits to the consumer for access to accurate public information," Rasch adds. "But it depends on accurate information, control over where it goes, and on only legitimate people having access."
The fallout from this incident may lead to calls for the United States to follow the lead of the European Union in terms of consumer privacy protections. "In the EU, there's this concept of ownership of data by the data subject, and the right to control the use of information by the data subject," notes Rasch. "In the U.S., what we've done is taken discrete types of information - health and financial - and wrapped protection around those."
ChoicePoint's financial services customers use the company's aggregated information for several legally permissible reasons:
- to conduct statistical analyses of consumer behavior for targeted marketing;
- to conduct background searches on current and prospective employees;
- to determine whether to extend credit;
- to reevaluate a person's creditworthiness (and thus his or her credit terms) based on discrete events, such as a missed payment with a utility.